Top/Articles/IBM WebSphere vulnerability roundup: CVE-2026-8633 and the latest July additions
ibm-vulnerability-roundup-2026-05-cover-en

IBM WebSphere vulnerability roundup: CVE-2026-8633 and the latest July additions

A continuously updated roundup of critical IBM WebSphere-family vulnerabilities. The most severe is CVE-2026-8633 (CVSS 9.8), an unauthenticated server takeover. On top of June's four RCE flaws, June 30 – July 1, 2026 added three admin-console XSS issues (CVE-2026-11708 and others) and a Liberty SSRF, with a version-by-patch table to prioritize fixes.

NewsPublished May 27, 2026Last updated July 1, 2026
Table of contents
Key takeaways

A continuously updated roundup of critical IBM WebSphere-family vulnerabilities. The most severe is CVE-2026-8633 (CVSS 9.8), an unauthenticated server takeover. On top of June's four RCE flaws, June 30 – July 1, 2026 added three admin-console XSS issues (CVE-2026-11708 and others) and a Liberty SSRF, with a version-by-patch table to prioritize fixes.

IBM keeps disclosing critical WebSphere flaws β€” four more admin-console XSS and SSRF issues in July

In the second half of May 2026, IBM published more than ten security bulletins across WebSphere Application Server, Engineering Lifecycle Management (ELM), and adjacent enterprise products. Two of them carry a CVSS base score of 9.8 (Critical), are unauthenticated, and are network-reachable β€” enough to force enterprise IT teams to rework their May–June patch plans.

This roundup focuses on the two headline items β€” remote code execution in WebSphere Web Server Plug-ins (CVE-2026-8633) and the unauthenticated authorization bypass in ELM (CVE-2026-3660) β€” and then walks through the mid-severity siblings disclosed in the same window. The goal is to give enterprise teams a concrete answer to "which WebSphere or ELM Interim Fix do I queue first?"

As of June 2026, none of the WebSphere or ELM items here is on the CISA Known Exploited Vulnerabilities catalog, and no public proof-of-concept code has been released. Given the unauthenticated takeover profile and the fact that the deserialization type has been exploited repeatedly in the past, read the urgency as patch within one to two weeks, not "tonight," but not "next quarter" either.

On June 1, 2026, IBM disclosed four more critical WebSphere Application Server flaws (CVE-2026-8644 / 9311 / 9319 / 9330), affecting the 8.5 and 9.0 branches, topping out at CVSS 9.1, with three of them enabling remote code execution. This roundup now tracks that June second wave alongside the May items. Separately, the other major business server, Oracle WebLogic, has a flaw already exploited in the wild β€” CVE-2024-21182 was added to CISA's KEV the same week β€” so organizations running both should check together. For a cross-vendor view of the major enterprise-product vulnerabilities affecting organizations in Japan, see our 2026 Japan enterprise vulnerability roundup as well.

Then, on June 30 – July 1, 2026, IBM added four more WebSphere-family flaws: three are cross-site scripting issues in the administrative console (CVE-2026-11708 / 11712 / 11594), and one is a server-side request forgery (SSRF) in WebSphere Liberty (CVE-2026-11714). Unlike the unauthenticated remote code execution of the earlier waves, these are a notch milder β€” they require luring an admin into a crafted link, or a specific feature being enabled β€” but they still matter when the people who run the admin console are the ones being targeted. The next section breaks them down.

July 2026 additions: three admin-console XSS flaws and a Liberty SSRF (CVE-2026-11708 and others)

The four flaws IBM disclosed on June 30 – July 1, 2026 are all in the WebSphere family, but they differ in kind from the earlier remote code execution. Three are cross-site scripting (XSS) in the administrative console β€” they need a user, typically an administrator, to be lured into a crafted link β€” and one is an SSRF in Liberty. Here's the list first.

CVEProduct / versionCVSSTypeCondition
CVE-2026-11708WebSphere AS
(8.5 / 9.0)
9.3Admin console
XSS
Lure an admin
to a crafted link
CVE-2026-11712WebSphere AS
(8.5 / 9.0)
9.3Admin console
XSS
Lure an admin
to a crafted link
CVE-2026-11594WebSphere AS
(8.5 / 9.0)
8.5Admin console
XSS (adjacent)
Same network
+ lure an admin
CVE-2026-11714WebSphere Liberty
(17.0.0.3–26.0.0.7)
8.5SSRF
(CWE-918)
Login + apiDiscovery
enabled

CVE-2026-11708 / CVE-2026-11712 (CVSS 9.3): admin-console XSS

Both are cross-site scripting (XSS, CWE-79) in the help system of the WebSphere Application Server admin console (8.5 and 9.0). XSS embeds a crafted string into a page so that the attacker's script runs in the browser of whoever opens it. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N: no login is required (PR:N), but it needs an administrator to open the attacker's link (UI:R). If a console operator takes the bait, actions on the console can be hijacked under their privileges. The 9.3 score reflects that the impact spreads beyond the console itself (S:C).

CVE-2026-11594 (CVSS 8.5): admin-console XSS (adjacent network)

Also an admin-console XSS, but the attacker must be on an adjacent network (AV:A, e.g. the same LAN), which lowers the score to 8.5 (CVE-2026-11594). It affects the same WebSphere AS 8.5 and 9.0 branches. The narrower reach reduces the risk, but it still warrants attention where the console is open on the internal network.

CVE-2026-11714 (CVSS 8.5): Liberty SSRF (needs login, apiDiscovery enabled)

One of the four is a different beast. CVE-2026-11714 is a server-side request forgery (SSRF, CWE-918) in WebSphere Liberty (17.0.0.3–26.0.0.7). SSRF uses the server as a stepping stone to reach internal resources that shouldn't be reachable from outside. The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N: exploitation requires a login (low privilege, PR:L) and only applies when the apiDiscovery-1.0 feature is enabled. If you don't use it, disabling that feature is an effective mitigation.

The fix for all four is IBM's Interim Fix or the latest fix pack. Config-side steps help too: don't expose the admin console to the internet or a wide internal network (narrowing the entry point for the three XSS flaws), and disable apiDiscovery if you don't use it (removing the precondition for the SSRF). See "The reality of applying an Interim Fix" below for the rollout approach. As of this article, we have not confirmed any CISA KEV listing or in-the-wild exploitation for these four.

The Buyers Lining Up for WebSphere on Top of Ledgers and Blueprints

What makes this WebSphere flaw dangerous is that someone with no login at all can reach the server directly over the internet. The people willing to pay for this hole are ransomware crews that encrypt core banking systems and demand a ransom, "initial access brokers" who find a way in and sell it to other attackers, and state-backed hackers after design data in automotive, semiconductors, defense, and aerospace.

What they want to carry off is banks' transaction records, unreleased earnings, aircraft and automotive blueprints, and medical-device certification dossiers. Both CVE-2026-8633 and CVE-2026-3660 are reachable without authentication, so once exploited, the whole server is taken over and that data flows straight out. A broker who finds the way in resells the route to ransomware leaders for a few thousand to tens of thousands of dollars per case, and the buyer encrypts the data to halt operations, then doubles the pressure with "pay up or we publish what we stole."

If attackers seize ELM (the platform that centrally manages product design data) that ties together the designs of finished vehicles, aircraft, and medical devices, the damage does not stop at one companyβ€”it spreads to parts suppliers and the hospitals that deploy those devices. The cleanup falls on the IT department and management: a breach brings reporting and customer-notification duties, explanations to business partners, damages, and lost trust. Whether you can close these holes before decades of accumulated blueprints, transaction history, and customer trust are pulled out in one motion is what decides the outcome.

A path where an unauthenticated hole lets ransomware shut down operations is not hypothetical. From 2025 into 2026, the ransomware attack on Asahi Group halted factories and logistics for a long stretch and even dented revenueβ€”all from allowing a single entry point. Because WebSphere sits at the foundation of so many core systems, it is worth acting before the same thing happens.

IBM May 2026 vulnerability roundup table

Below is a quick map of the main items, ordered roughly by how likely enterprise IT teams in financial services, manufacturing, and aerospace are to be running the affected component.

CVEProductCVSSTypeAuth
CVE-2026-11708 / 11712
Jun 30 – Jul 1
WebSphere AS
(8.5 / 9.0)
9.3Admin console XSS
(needs a click)
None (UI)
CVE-2026-11594
Jun 30 – Jul 1
WebSphere AS
(8.5 / 9.0)
8.5Admin console XSS
(adjacent)
None (UI)
CVE-2026-11714
Jun 30 – Jul 1
WebSphere Liberty
(17.0.0.3–26.0.0.7)
8.5SSRF
(needs login)
Required
CVE-2026-8644
June 1
WebSphere AS
(8.5 / 9.0)
9.1Auth bypass
(spoofing)
None
CVE-2026-9311
June 1
WebSphere AS
(8.5 / 9.0)
9.0Code injection
(RCE)
None
CVE-2026-9319
June 1
WebSphere AS
(8.5 / 9.0)
9.0Deserialization
(RCE, JAX-WS)
None
CVE-2026-9330
June 1
WebSphere AS
(8.5 / 9.0, SAML SSO)
8.5Deserialization
(RCE, SAML SSO)
Low priv.
CVE-2026-8633WebSphere AS
Web Server Plug-ins (8.5/9.0)
9.8RCENone
CVE-2026-3660Engineering Lifecycle Management
(7.0.3 / 7.1.0 / 7.2.0)
9.8Authz bypassNone
CVE-2026-1561WebSphere AS LibertyMediumSSRFNone
CVE-2026-29063immutable
(bundled with Liberty)
MediumPrototype pollutionNone
CVE-2026-1188WebSphere AS
(via Java SDK; multiple bundles)
MediumInformation disclosureNone
CVE-2026-32776
/32777/32778
IBM HTTP Server
(libexpat upstream, 3 CVEs)
MediumXML parsing flawsNone
CVE-2026-21925
/21945
WebSphere AS
(bundled with DevOps Code ClearCase)
MediumMultipleNone
CVE-2026-1726Guardium Key Lifecycle Manager
(4.1 to 5.1)
HighPrivilege escalationRequired

The newest June 1 batch and the May CVSS 9.8 items need different responses. The following sections work them in priority order, starting with the freshly disclosed June flaws.

June 1 second wave: four more WebSphere flaws

On June 1, 2026, IBM added four new WebSphere Application Server flaws. All affect the 8.5 and 9.0 branches, and the fix for each ships as an Interim Fix plus Fix Pack (roughly 9.0.5.28 / 8.5.5.30 or later as a guide). The per-CVE APAR numbers are listed in IBM's security bulletin list; we avoid stating exact numbers here so as not to point you to the wrong build.

CVE-2026-8644: authentication bypassed by spoofing (CVSS 9.1)

The most severe of the June batch, CVE-2026-8644, is classified as CWE-290 (authentication bypass by spoofing). Functions meant only for logged-in users can be reached by an attacker impersonating someone else. If reachable over the network, no prior login or user action is required β€” like walking in by holding up someone else's badge rather than breaking the front lock.

CVE-2026-9311: crafted input runs commands on the server (CVSS 9.0)

CVE-2026-9311 is remote code execution via CWE-94 (code injection). Exploiting a weakness that bypasses a security control lets an attacker's commands run directly on the server. NVD rates the attack complexity as somewhat high (AC:H), but no login or user action is required, and success means server takeover.

CVE-2026-9319: takeover via abused deserialization (CVSS 9.0)

CVE-2026-9319 is CWE-502 (unsafe deserialization of untrusted data). Tamper with the step that rebuilds incoming data into its original form, and commands hidden in the data run as-is. Here the entry point is a JAX-WS mechanism using the WS-Security standard. WebSphere has repeatedly carried this deserialization type, making it a familiar target for attackers.

CVE-2026-9330: takeover via SAML single sign-on (CVSS 8.5)

CVE-2026-9330 is the same deserialization type, but the entry point is the SAML single sign-on (SSO) processing. An attacker holding a low-privilege account could send a crafted request and run commands on the server. Requiring some privilege keeps the severity at 8.5, but it is more than enough for lateral movement once an attacker has an internal foothold. Check your configuration if you use SAML SSO.

Top priority: WebSphere Application Server RCE (CVE-2026-8633)

The most severe item disclosed by IBM in May 2026 is CVE-2026-8633. Per IBM's security bulletin, the Web Server Plug-ins component shipped with WebSphere Application Server and WebSphere Application Server Liberty contains a flaw that lets a specially crafted HTTP request execute arbitrary code on the server.

The bug classification is CWE-94: Improper Control of Generation of Code (Code Injection). The CVSS vector is `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` β€” network-reachable, low complexity, no authentication, no user interaction, full confidentiality / integrity / availability impact. About as close to a worst-case profile as you can get.

Affected: WebSphere AS 8.5 and 9.0 branches, plus Liberty deployments that pair with Web Server Plug-ins. WebSphere remains the default Java EE / Jakarta EE application server in large Japanese banks' core systems, retail chain backbones, manufacturing MES stacks, and government core systems. The 8.5 branch, released in 2014, is still in production at organizations paying for extended support β€” exactly the "running, do not touch" assets this bug targets.

As of May 26, 2026, no public proof-of-concept is circulating and the CVE is not on the CISA KEV catalog. Even so, the time from CVE assignment to public exploit for an unauthenticated RCE is typically short. Apply the Interim Fix from IBM's security bulletin as soon as your change window allows. If you cannot patch immediately, route traffic past the Web Server Plug-ins layer where feasible, and add WAF rules that block the specific request pattern disclosed by IBM.

Second priority: ELM unauthenticated authorization bypass (CVE-2026-3660)

Published the same day, CVE-2026-3660 is an unauthenticated authorization bypass in Engineering Lifecycle Management. CVSS 9.8, classification CWE-863: Incorrect Authorization. An attacker with no credentials can reach resources that are supposed to require authorization.

ELM is IBM's enterprise-grade application lifecycle suite β€” DOORS Next for requirements, Engineering Test Management for test, Engineering Workflow Management for issue and project tracking. It is heavily deployed in regulated software development (automotive, aerospace, defense, medical devices) and is present at most large Japanese automotive OEMs, aerospace and defense suppliers, and medical device manufacturers.

Per IBM's security bulletin, the affected versions and their fixes are:

  • ELM 7.0.3 up to Interim Fix 021 β†’ upgrade to IF022 or later
  • ELM 7.1.0 up to Interim Fix 009 β†’ upgrade to IF010 or later
  • ELM 7.2.0 up to Interim Fix 001 β†’ upgrade to IF002 or later

ELM is typically deployed inside the corporate network, so direct external attack surface is smaller than for WebSphere. That said, ELM contains an organization's requirements, designs, and test cases β€” the intellectual property of the entire product lifecycle. It is exactly the kind of repository attackers pivot to after a foothold. Land the Interim Fix in your current quarterly patch cycle at the latest.

Mid-severity siblings: Liberty SSRF, IBM HTTP Server libexpat trio, and more

These do not rise to the priority of the two CVSS 9.8 items but should ride the same patch cycle.

CVE-2026-1561: WebSphere Liberty SSRF

A request-forwarding bug in Liberty lets an attacker indirectly reach resources behind the server. Fix lands in Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026 per IBM). Managed Liberty services pick up the fix automatically; self-managed Liberty deployments wait for the Fix Pack.

CVE-2026-32776 / CVE-2026-32777 / CVE-2026-32778: IBM HTTP Server libexpat trio

Three upstream libexpat XML-parsing flaws inherited by IBM HTTP Server. Not direct RCE, but for organizations exposing SOAP / WS-* middleware via WebSphere, they can lead to denial-of-service or memory corruption. Update the IBM HTTP Server component.

CVE-2026-29063: immutable library Prototype Pollution

Prototype pollution in the mergeDeep() family of APIs in the JavaScript immutable library, which ships inside Liberty. Direct impact is limited unless your Liberty deployment hosts JavaScript code paths; for those, plan the upgrade.

CVE-2026-1726: IBM Guardium Key Lifecycle Manager privilege escalation

Guardium Key Lifecycle Manager (GKLM, formerly Tivoli Key Lifecycle Manager) versions 4.1 through 5.1. Authentication is required, so it's not an external one-shot, but post-foothold lateral movement to the key management plane neutralizes every piece of encryption in the environment. Critical security-foundation item even with the auth requirement.

Author's view: how to actually rank these in the enterprise

This section is opinion. If you sort by CVSS, the WebSphere RCE and the ELM bypass tie at 9.8. In practice, they should not be treated as the same priority.

First, the WebSphere RCE (CVE-2026-8633). The answer depends on whether you have any WebSphere instance reachable from the public internet. If yes, this is a "patch this week" item. Even for fully internal WebSphere deployments, lateral movement through a compromised endpoint makes the realistic window two weeks at the outside.

Second, the ELM authorization bypass (CVE-2026-3660). ELM is almost always deployed internally, so direct attack surface is lower than WebSphere. But ELM is where requirements, designs, and test cases live β€” intellectual property for regulated software organizations. Land the fix inside the current quarter (up to ~3 months).

Third, the mid-severity SSRF / libexpat / immutable items. WAF rules and network segmentation buy time while you wait for Fix Packs. Standard quarterly cycle is enough.

A blanket "treat every CVSS 9.0+ identically" policy hurts here. Treating WebSphere RCE and ELM as the same priority over-allocates effort to ELM at the expense of WebSphere β€” exactly the wrong direction given external-attack exposure.

Author's view: why IBM clusters vulnerability disclosures like this

IBM tends to publish security bulletins in waves clustered around May, August, November, and February. From the author's perspective, two structural reasons explain the pattern.

First, the Oracle Java Critical Patch Update quarterly cycle. WebSphere and ELM both ship with IBM Java SDK (an IBM fork of Oracle JDK), so IBM's update schedule rides Oracle's quarterly CPU. The April Oracle CPU produces the late-May IBM responses we're looking at now.

Second, IBM enterprise products bundle a large number of OSS components. WebSphere alone contains Java SDK, libexpat, XML parsers, and assorted JS libraries from upstream maintainers. Every upstream CVE triggers an "evaluate impact in IBM product, publish bulletin" loop. The libexpat trio and the immutable Prototype Pollution in this batch are direct echoes of upstream issues.

The practical implication: instead of reflexively chasing each individual CVE, organizations running IBM stacks should restructure patch management around quarterly batched responses. Reserve four annual patch windows up front, with a separate fast-lane for the rare CVSS 9.8 unauthenticated RCE exception.

Interim Fix application: minimum production checklist

This is a roundup, not a patch runbook β€” see IBM's documentation for full procedures. The minimum production checklist, common to WebSphere and ELM:

  • Download the version-specific Interim Fix from IBM Fix Central
  • Apply the Fix in DEV/STG environments first, run regression tests
  • Production apply in a scheduled maintenance window, one node at a time with load balancer drain
  • Verify the Fix number using versionInfo.sh (WebSphere) or the equivalent ELM build-info tool
  • Keep a rollback plan: pre-apply binary snapshot plus JVM configuration backup

The most common gotcha for Japanese enterprises specifically: WebSphere 8.5 is out of standard support. Without a Continuous Delivery extended-support contract, Interim Fixes do not get delivered at all. Start by checking your IBM contract status if you are still running 8.5.

FAQ

Is CVE-2026-8633 actively exploited?

Not as of May 26, 2026. The CVE is not on CISA's Known Exploited Vulnerabilities catalog and no public PoC has been released. Given the unauthenticated RCE profile, however, the time from disclosure to public exploit is typically short. Patch promptly.

Is WebSphere Liberty affected by CVE-2026-8633?

CVE-2026-8633 is in the Web Server Plug-ins component. A Liberty deployment that does not use Plug-ins is not directly exposed to this CVE. Liberty is separately affected by CVE-2026-1561 (SSRF) and CVE-2026-29063 (immutable Prototype Pollution); plan for Liberty Fix Pack 26.0.0.4 or later.

Where do I find the ELM Interim Fix numbers?

IBM's CVE-2026-3660 security bulletin lists the fixed Interim Fix numbers for ELM 7.0.3 / 7.1.0 / 7.2.0. Download from Fix Central and validate in a pre-production environment before applying.

Do Interim Fixes ship for WebSphere 8.5?

WebSphere 8.5 is out of standard support. Interim Fixes are only delivered if you have an active Continuous Delivery extended-support contract with IBM. If you do not, you should be evaluating a migration plan to 9.0 or Liberty.

Change log

  • ・2026-07-01: Added four WebSphere-family flaws disclosed June 30 – July 1 (admin-console XSS = CVE-2026-11708 / 11712 / 11594, and Liberty SSRF = CVE-2026-11714). Updated the lead, roundup table, a new "July 2026 additions" section, and references. Noted that, unlike the earlier RCE, these require user interaction or a specific feature being enabled and sit at medium-to-high severity.
  • ・2026-06-02: Integrated the four new WebSphere flaws disclosed June 1 (CVE-2026-8644 / 9311 / 9319 / 9330; three enable remote code execution). Updated the lead, roundup table, per-CVE coverage, and references, and cross-linked the actively exploited Oracle WebLogic flaw (CVE-2024-21182).
  • ・2026-05-27: Initial publication. Covers WebSphere Application Server Web Server Plug-ins RCE (CVE-2026-8633) and Engineering Lifecycle Management authorization bypass (CVE-2026-3660) as the headline items, with mid-severity siblings.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django